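# Run the two event-log scans in parallel, one thread per log.
my $thr1 = threads->create(\&parseAppEventLog, "Application");
my $thr2 = threads->create(\&parseSysEventLog, "System");

# Wait for both scans to finish.
# NOTE(review): a die() inside a thread is not re-thrown by join(); perl only
# warns that the thread terminated abnormally, so a failed scan does not stop
# the main script here.
$thr1->join();
$thr2->join();

#<------- Shared worker for both event-log scans ----->#
# Reads the newest $arg{limit} records of the event log named $arg{source},
# newest first, and writes one alert string to $arg{output_file} for every
# rule that matches a record.
#
# Named arguments:
#   source      - event log name handed to Win32::EventLog->new
#   limit       - number of records to scan; 0 writes the "not increased" notice
#   output_file - path of the alert file (truncated on every run)
#   label       - word used in the open() failure message
#   idle_tag    - alert tag used for the "not increased" notice
#   rules       - array ref of [ $prefix, $id_pattern, $text_pattern ]; an
#                 undefined or empty pattern disables that check
#
# Dies if the log cannot be opened or queried, or if the output file cannot
# be created or closed.
sub _scan_event_log {
    my (%arg) = @_;

    my $event_source = $arg{source};
    my $limit        = $arg{limit};
    my @rules        = @{ $arg{rules} };

    my ($first, $count) = (0, 0);
    my $event;

    my $event_log = Win32::EventLog->new($event_source, '') or die $!;
    $event_log->GetOldest($first) or die $!;
    $event_log->GetNumber($count) or die $!;
    $Win32::EventLog::GetMessageText = 1;

    # Seek to the newest end of the log before the sequential backward reads.
    # The result of this seek is deliberately not checked.
    $event_log->Read((EVENTLOG_SEEK_READ | EVENTLOG_BACKWARDS_READ),
        $first + $count, $event);

    # Three-argument open: the path is always treated as a plain file name,
    # never as a mode or pipe specification.
    open(my $out, '>', $arg{output_file})
        or die "cannot create $arg{label} event output file - $!";

    if ($limit == 0) {
        print {$out} $arg{idle_tag} . "##Windows " . $event_source
            . " Event Log - Event log has not increased in size since last run";
    }

    # The range only fixes the number of iterations ($limit); the records
    # themselves come from the sequential backward read.
    for my $record_number ($first + $count - $limit + 1 .. $first + $count) {

        # Stop as soon as a read fails instead of matching rules against an
        # event that was never filled in.
        $event_log->Read((EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ),
            0, $event)
            or last;

        my $id       = $event->{'EventID'} & 0xffff;    # low 16 bits: readable EventID
        my $eventmsg = $event->{'Message'};

        # NOTE(review): the message text is written verbatim after the
        # "##" delimiter and without a record terminator. Event text is
        # supplied by whatever wrote the log entry, so the consumer of this
        # file should treat it as untrusted - confirm how it is parsed.
        for my $rule (@rules) {
            my ($prefix, $id_pattern, $text_pattern) = @{$rule};

            # Event-ID rule: the configured value is compiled as a regex and
            # must match the ID on word boundaries.
            if (defined $id_pattern && length($id_pattern) != 0) {
                my $id_re = qr/$id_pattern/;
                if ($id =~ /\b$id_re\b/) {
                    print {$out} $prefix . $id . "-" . $eventmsg;
                }
            }

            # Message rule: case-insensitive regex match on the event text.
            if (defined $text_pattern && length($text_pattern) != 0) {
                if ($eventmsg =~ m/$text_pattern/i) {
                    print {$out} $prefix . $id . "-" . $eventmsg;
                }
            }
        }
    }

    # Buffered write errors only surface at close time; do not lose alerts
    # silently.
    close($out)
        or die "cannot close $arg{label} event output file - $!";

    return 1;
}

#<------- Function to parse the Application event log ----->#
# $_[0] is the event log name. Alerts go to $outputfile1.
sub parseAppEventLog {
    my ($eventSource) = @_;
    my $limit = getLinenoApp();

    # Every rule uses the Application-log ($app_*) settings. The IIS and
    # Powerpath ID rules previously compiled $sys_num_iis and
    # $sys_num_powerpath, so the Application settings for those IDs were
    # never applied.
    return _scan_event_log(
        source      => $eventSource,
        limit       => $limit,
        output_file => $outputfile1,
        label       => 'App',
        idle_tag    => 'Common-App',
        rules       => [
            [ "Common-App##Windows error-EventID:",
              $app_num_common, $app_string_common ],
            [ "IIS##Windows IIS Event Log error-EventID:",
              $app_num_iis, $app_string_iis ],
            [ "Powerpath##Windows Powerpath Event Log error-EventID:",
              $app_num_powerpath, $app_string_powerpath ],
        ],
    );
}

#<------- Function to parse the System event log ----->#
# $_[0] is the event log name. Alerts go to $outputfile2.
sub parseSysEventLog {
    my ($eventSource) = @_;
    my $limit_sys = getLinenoSys();

    return _scan_event_log(
        source      => $eventSource,
        limit       => $limit_sys,
        output_file => $outputfile2,
        label       => 'sys',
        idle_tag    => 'Common-Sys',
        rules       => [
            [ "Common-Sys##Windows error-EventID:",
              $sys_num_common, $sys_string_common ],
            [ "IIS##Windows IIS Event Log error-EventID:",
              $sys_num_iis, $sys_string_iis ],
            [ "Powerpath##Windows Powerpath Event Log error-EventID:",
              $sys_num_powerpath, $sys_string_powerpath ],
        ],
    );
}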